CVE-2026-12779
Improper Access Control in AOMEI Dynamic Disk Manager Kernel Driver

Publication date: 2026-06-21

Last updated on: 2026-06-21

Assigner: VulDB

Description
A vulnerability was found in AOMEI Dynamic Disk Manager up to 10.10.1. This issue affects some unknown processing in the library ddmdrv.sys of the component Kernel Driver. Performing a manipulation results in improper access controls. The attack must be initiated from a local position. The exploit has been made public and could be used. The vendor was contacted early about this disclosure but did not respond in any way.
Affected Vendors & Products

Showing 1 associated CPE

| Vendor | Product | Version / Range |
| --- | --- | --- |
| aomei | dynam_disk_manager | to 10.10.1 (inc) |

CWE

| CWE ID | Description |
| --- | --- |
| CWE-284 | The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor. |
| CWE-266 | A product incorrectly assigns a privilege to a particular actor, creating an unintended sphere of control for that actor. |

Executive Summary

CVE-2026-12779 is a local privilege escalation vulnerability in AOMEI Dynamic Disk Manager version 10.10.1, specifically in its kernel driver called ddmdrv.sys.

The vulnerability arises because the driver exposes a device interface (`\\.\ddmwrt`) to standard local users, allowing them to perform raw disk read and write operations that normally require administrative privileges.

This bypasses Windows' built-in access controls that prevent non-administrative users from directly accessing physical disks.

As a result, unprivileged users can tamper with critical disk structures such as file-system metadata, boot records, registry hives, or privileged files by leveraging raw sector access.

The root cause is the driver's failure to enforce proper authorization checks and secure device creation.

Impact Analysis

This vulnerability allows a local user without administrative privileges to gain unauthorized access to raw disk operations.

An attacker could modify critical disk data such as file system metadata, boot records, registry hives, or other privileged files.

Such tampering can lead to system instability, data corruption, unauthorized persistence, or full privilege escalation on the affected system.

Detection Guidance

This vulnerability can be detected by checking for the presence of the vulnerable kernel driver `ddmdrv.sys` used by AOMEI Dynamic Disk Manager version up to 10.10.1. Specifically, the driver exposes the device `\\.\ddmwrt` which allows local users to perform raw disk read/write operations.

To detect exploitation or attempts, you can look for unusual access or writes to the device path `\\.\ddmwrt\Partition0\DISK1` or similar device interfaces exposed by the driver.

Suggested commands to check for the driver and device presence on a Windows system include:

  • Use PowerShell or Command Prompt to list loaded drivers and check for `ddmdrv.sys` (the verbose CSV output includes each driver's file path):
      - `driverquery /v /fo csv | findstr /i ddmdrv.sys`
  • Check for the device object exposed by the driver using Sysinternals tools or Device Manager.
  • Monitor for processes or users accessing the `\\.\ddmwrt` device path. This can be done by enabling auditing on device access or by using tools like Process Monitor (ProcMon) to filter for `ddmwrt` activity.
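
The driver check above can be turned into a per-host inventory record. The following PowerShell is an added example, not code from the advisory or from AOMEI. The function name `Get-DdmDriverExposure` is hypothetical, and the driver's service name is discovered from its image path because the page does not state it.

```powershell
# Added example (not from the advisory): inventory a host for the ddmdrv.sys driver.
# Only the file name ddmdrv.sys comes from the page; the service name is discovered.
function Get-DdmDriverExposure {
    [CmdletBinding()]
    param(
        [string]$DriverFile = 'ddmdrv.sys'
    )

    # Kernel drivers are registered as services. Match on the image path, because
    # the service name the installer chose is not stated in the advisory.
    $drivers = Get-CimInstance -ClassName Win32_SystemDriver |
        Where-Object { $_.PathName -like "*\$DriverFile" }

    foreach ($drv in $drivers) {
        # Normalise NT-style prefixes so the file cmdlets accept the path.
        $path = $drv.PathName -replace '^\\\?\?\\', ''
        $path = $path -replace '^\\SystemRoot\\', "$env:SystemRoot\"

        $file = Get-Item -LiteralPath $path -ErrorAction SilentlyContinue
        $sig  = if ($file) { Get-AuthenticodeSignature -LiteralPath $path }

        [pscustomobject]@{
            ComputerName = $env:COMPUTERNAME
            ServiceName  = $drv.Name
            State        = $drv.State       # 'Running' means the driver is loaded now
            StartMode    = $drv.StartMode   # Boot/System/Auto reload it on every start
            Path         = $path
            FileVersion  = if ($file) { $file.VersionInfo.FileVersion }
            SHA256       = if ($file) { (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash }
            Signer       = if ($sig -and $sig.SignerCertificate) { $sig.SignerCertificate.Subject }
        }
    }
}

# Empty output means no registered driver service points at ddmdrv.sys.
Get-DdmDriverExposure | Format-List
```

The driver's file version is not necessarily the product version (10.10.1) quoted in the advisory, so treat the output as an inventory record and confirm the installed product version separately.
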
Mitigation Strategies

Immediate mitigation steps include restricting access to the vulnerable device interface `\\.\ddmwrt` to prevent unprivileged users from performing raw disk operations.

Suggested actions are:

  • Remove or restrict the device access by applying secure device descriptors (e.g., using `IoCreateDeviceSecure`) to enforce proper authorization.
  • Limit or disable the driver if possible until a patched version is available.
  • Ensure that only trusted administrative users have access to the device and related disk operations.
  • Monitor and audit access to the device to detect any unauthorized attempts.

Since the vendor has not responded or provided a patch, these mitigations focus on access control and monitoring to reduce risk.

Compliance Impact

This vulnerability allows local users to bypass access controls and perform raw disk read/write operations, potentially tampering with critical disk structures such as file-system metadata, boot records, registry hives, or privileged files.

Such unauthorized access and modification of sensitive data could lead to violations of data protection regulations like GDPR and HIPAA, which require strict controls over access to personal and sensitive information.

Therefore, exploitation of this vulnerability may compromise the confidentiality and integrity of protected data, impacting compliance with these common standards and regulations.
